Using Digital Certificates with IIS - Internet Information Services
Introduction
The provides all members of its academic community with digital certificates for server usage.
In order to acquire any digital certificate from this PKI, you must first trust the Root Certification Authority that issued the .
In this document you will find step-by-step instructions on how to obtain your digital server certificate using Microsoft IIS running on Windows XP or Windows 2003 Server.
In order to acquire a server certificate you must have a valid user certificate.
Certificate Issuance
In order to request a digital certificate for your server, please navigate to Server Certificate Request using the internet browser of your choice, fill in the Full Server Name (FQDN) and click on Next.
The next step requires proof of identity and you must present a valid user digital certificate.
From the page that follows, write down the "distinguished name" that is shown, for example "CN=aserver.domain.auth.gr, OU=School of Something, O=Aristotle University of Thessaloniki, C=GR".
Log in to the server on which you have installed IIS and create a folder named "C:\certRequest".
Within this folder, create a file named "server.inf" with the following contents:
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "Email=root@mus.auth.gr, CN=myserver.mus.auth.gr, OU=School of Music Studies, O=Aristotle University of Thessaloniki, C=GR"
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeyLength = 1024
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
EncipherOnly = FALSE
Exportable = FALSE
PrivateKeyArchive = FALSE
ProviderType = 12
UseExistingKeySet = FALSE
UserProtected = FALSE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
Modify the Subject field so that the "distinguished name" shown on the application web page is the one included in the requested certificate. Optionally, you may also include the e-mail address of an administrator or of a team of administrators.
For your convenience, we have created a prototype server.inf file which you may download.
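As an added example (not part of these instructions and not the PKI's own tooling), the following Python script builds server.inf from the distinguished name you wrote down from the request page and refuses to emit it if the CN does not match the server name you entered there, which is the usual cause of a certificate that the browser rejects for the host. The key_length parameter defaults to the 1024 bits used in the file above; it is a parameter so that a site can request a longer key (2048 bits is the usual minimum today).

```python
import re

# Template mirrors the server.inf in the instructions (constructed example,
# not the PKI's own tool); Subject and KeyLength are filled by build_inf().
INF_TEMPLATE = """[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "{subject}"
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeyLength = {key_length}
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
EncipherOnly = FALSE
Exportable = FALSE
PrivateKeyArchive = FALSE
ProviderType = 12
UseExistingKeySet = FALSE
UserProtected = FALSE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
"""

def parse_dn(dn):
    """Split 'CN=a, OU=b, O=c, C=GR' into (attr, value) pairs, in order.
    Assumes no escaped commas, as in the DN the request page shows."""
    parts = []
    for item in re.split(r",\s*", dn.strip()):
        attr, sep, value = item.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {item!r}")
        parts.append((attr.strip().upper(), value.strip()))
    return parts

def build_inf(dn, fqdn, admin_email=None, key_length=1024):
    """Return server.inf text; refuses a DN whose CN differs from the FQDN
    entered on the request page, so the certificate matches the host."""
    parts = parse_dn(dn)
    cn = [v for a, v in parts if a == "CN"]
    if len(cn) != 1 or cn[0].lower() != fqdn.lower():
        raise ValueError(f"CN {cn} does not match server name {fqdn!r}")
    if admin_email:  # optional administrator address, as the text allows
        parts.insert(0, ("Email", admin_email))
    subject = ", ".join(f"{a}={v}" for a, v in parts)
    if '"' in subject:
        raise ValueError("a double quote would break the quoted Subject")
    return INF_TEMPLATE.format(subject=subject, key_length=key_length)
```

Write the returned text to C:\certRequest\server.inf and continue with the certreq command below.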
After this step, open a command line window (cmd) on the IIS server host, go to the folder "C:\certRequest" and execute the following command:
certreq -new -f -q server.inf server.req
The certificate request is stored in a file named "server.req". Open this file with a text editor such as Notepad, copy its contents and paste them into the field "Application in PKCS10 form" on the certificate issuance web page. Finally, submit the application.
Your application will be processed and you will be notified by e-mail when your certificate is ready. When you receive a reply e-mail stating that your digital certificate has been issued, you must follow the included link in order to receive and start using your certificate.
Activation of SSL - Secure Sockets Layer Communication
Retrieve and store your server certificate by selecting "Certificate retrieval in binary format with certificate chain" (cert.p7b).
At this point, you must convert the "cert.p7b" file into ASCII Base64 format using the following command:
certutil -encode cert.p7b cert.b64.p7b
where "cert.p7b" is the name of the file containing the entire certificate chain.
Finally, we import the new certificate along with its certificate chain using the following command:
certreq -accept cert.b64.p7b
To activate SSL communication, open the IIS management console from "Control Panel"->"Administrative Tools"->"Computer Management" and then open "Services and Applications"->"Internet Information Services"->"Web Sites"->"Default Web Site". Right-click on Default Web Site, select Properties and, from the Directory Security tab, click on Server Certificate.

A Wizard will start. Click Next and then choose the "Assign an existing certificate" option.

Select the available certificate and click Next.

Continue selecting Next and in the end Finish to complete the process.
Finally, we activate SSL communication from the following menu: "IIS configuration"->"Web Site tab"->"Advanced"->"Multiple SSL identities for this Web Site", where we declare the default IP address with port 443.
Making sure a User has trusted the Root Certification Authority
Users are able to view any secure pages only after they have trusted the Root Certification Authority that issued the . Please use this link to make sure they have trusted the Root Certification Authority certificate: